You may have just noticed this problem after upgrading to a Sonatype server product version that includes its own OpenJDK distribution.

You may have noticed this problem after upgrading the Java version that a Sonatype server product is using to Java 8u181 or newer.

You may have noticed this problem after the Java version being used by your Sonatype server product was automatically updated to a newer version in the background as part of the Java built-in automatic updates.

Cause

core-libs/javax.naming ➜ Improve LDAP support

Endpoint identification has been enabled on LDAPS connections.

To improve the robustness of LDAPS (secure LDAP over TLS) connections, endpoint identification algorithms have been enabled by default.

Note that there may be situations where some applications that were previously able to successfully connect to an LDAPS server may no longer be able to do so. Such applications may, if they deem appropriate, disable endpoint identification using a new system property: com.sun.jndi.ldap.object.disableEndpointIdentification.

Define this system property (or set it to true) to disable endpoint identification algorithms.

JDK-8200666 (not public)

Solution

Java is trying to make sure the host name in your connection configuration matches the host names in the remote LDAPS TLS server certificate and that those host names in the certificate are valid. The correct solution for a secure connection is to have your LDAP server administrators correct the certificate the LDAPS server is using so that the improved endpoint identification algorithms work. This is for your own protection.
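As an added illustration (not Sonatype or JDK code), the Python sketch below models the name comparison described above, so you can test the host name in your LDAP connection configuration against the names listed in the server certificate. The matching rules are a simplified assumption (case-insensitive, wildcard only as the whole leftmost label, subject CN used only when the certificate has no dNSName SAN), and the sample names are constructed.

```python
import ipaddress

def _dns_match(host, pattern):
    """Compare one certificate DNS name to the configured host, label by label."""
    h = host.lower().rstrip(".").split(".")
    p = pattern.lower().rstrip(".").split(".")
    if len(h) != len(p):
        return False  # a wildcard never spans more than one label
    if p[0] == "*":
        # Conservative choice in this model: reject bare "*" and "*.tld".
        return len(p) > 2 and h[1:] == p[1:]
    return h == p

def check_ldaps_host(configured_host, san_dns=(), san_ip=(), subject_cn=None):
    """Return (ok, reason) for the host name used in the LDAP connection."""
    try:
        addr = ipaddress.ip_address(configured_host)
    except ValueError:
        addr = None
    if addr is not None:
        # An IP literal is compared only with iPAddress SAN entries.
        if any(ipaddress.ip_address(ip) == addr for ip in san_ip):
            return True, "IP address listed in SAN"
        return False, "configured by IP, but no matching iPAddress SAN"
    if san_dns:
        for name in san_dns:
            if _dns_match(configured_host, name):
                return True, "matches SAN dNSName " + name
        return False, "no SAN dNSName matches " + configured_host
    # Assumption: with no dNSName SAN at all, the subject CN is the fallback.
    if subject_cn and _dns_match(configured_host, subject_cn):
        return True, "matches subject CN " + subject_cn
    return False, "certificate has no name matching " + configured_host

# Constructed sample certificate names (not from a real server).
SAN_DNS = ["ldap01.corp.example.com", "*.dir.example.com"]
SAN_IP = ["192.0.2.10"]

if __name__ == "__main__":
    for host in ["ldap01.corp.example.com", "ldap01", "192.0.2.10",
                 "192.0.2.11", "a.dir.example.com", "a.b.dir.example.com"]:
        print(host, "->", check_ldaps_host(host, SAN_DNS, SAN_IP))
```

A short host name or an IP address in the connection configuration fails here even though the certificate itself is valid, which is a common reason a previously working LDAPS connection stops working after the Java update.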

Workaround

The workaround in the release note is brute force and optional. It disables some LDAP secure connection validation. If you care enough about having a secure connection to your LDAP server, you won't use this workaround long term.

The workaround can be used if you have no other quick solution to correct the remote LDAP server certificate.

Use the supported server methods to set a Java system property as the Java release note advises.

Nexus Repository Manager 3x

Add a new line to <app-dir>/bin/nexus.vmoptions:

-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true

Restart repository manager.

Nexus Repository Manager 2x

Edit <app-dir>/bin/jsw/conf/wrapper.conf. Add a new entry for the wrapper.java.additional setting, without re-using any existing item number: